ARP Poison Routing: Wireshark Without a Monitor Port

It’s 11:00 pm and the network isn’t working. You need to figure out a way to get a copy of Wireshark somewhere useful without digging through network closets for the monitor port on the master switch. But you’re too tired (or maybe too lazy) to go set up a monitor port and figure out where it’s physically located.

Sound familiar?

Luckily, there is a clever trick to see everything without having a monitor port on the router. Ettercap is a tool that performs ARP Poison Routing (APR). APR convinces the network that you are the gateway and, conversely, convinces the gateway that you are the network. This is done by sending carefully crafted ARP replies over the network to overwrite the ARP caches (the tables that map IP addresses to MAC addresses) of every node in scope. Once the process is complete, all network traffic passes through the poisoning device, which can be running Wireshark or any other tool that works with local network traffic. Best of all, when you are done it disappears in seconds without a trace. Keep in mind that while the tool is running, SSL certificates will not validate on or from the targeted devices. Make sure all end users in scope are home for the night and that nothing mission critical on the network requires an https connection.

I’ve listed an easy-to-follow, step-by-step guideline to get a “man-in-the-middle” of your network traffic without needing to set up a monitor port on the master switch.

Step 1: Open Ettercap in graphical mode. This can be done with the command ettercap -G or by selecting it from your applications list.

Step 2: Enable network sniffing and bind Ettercap to an interface. In the top menu, select Sniff → Unified sniffing…

Step 3: Choose the interface you would like to use for sniffing. For wireless sniffing (yes, it actually works!), the interface name will probably start with wlan. For Ethernet sniffing, the interface name will probably start with eth.

Step 4: In the menu, select Hosts → Scan for hosts.

Step 5: Open the host list by selecting Hosts → Hosts list from the menu.

Step 6: Select every device that you would like to see the traffic from. Then press Add to Target 1 to inform Ettercap that these are the devices to be poisoned.

Step 7: Now we need to tell Ettercap what plugins we want loaded. These allow for additional features, such as making sure the devices stay poisoned after the attack is started. In the menu, select Plugins → Manage the plugins.

Step 8: Double-click the plugins named autoadd and repoison_arp. These ensure that the devices in the targets list keep sending their traffic to us until we terminate the attack.

Step 9: Now start the attack. From the menu, select Mitm → ARP poisoning…

Step 10: Enable Sniff remote connections and press OK.

Step 11: Use your newly found “monitor port” for whatever you need, such as Wireshark.
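The flip side of the mechanism described above: the unsolicited ARP replies that Ettercap sends in Steps 9 and 10 are visible to anyone else on the segment, which is exactly what arpwatch-style monitoring keys on. The following monitor is an added example written for this article, not code from the article or from the Ettercap project. It parses raw Ethernet/ARP frames, seeds a trusted binding for the gateway, and raises an alert when a reply rebinds a known IP to a different MAC or arrives without a matching request. The IP addresses, MAC addresses and the build_arp fixture that serializes the sample frames are constructed for the demonstration.

```python
"""Detect ARP cache poisoning from a stream of ARP frames (arpwatch-style).

Added example for this article; the addresses and frames below are
constructed test data, not captured traffic.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Return the ARP fields of a raw Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpMonitor:
    """Tracks IP->MAC bindings and flags replies that look like cache poisoning."""

    def __init__(self, known=None):
        # Trusted bindings seeded from configuration (e.g. the gateway); other
        # addresses are learned from the first reply seen, which is weaker.
        self.bindings = dict(known or {})
        self.pending = set()   # (requester_ip, asked_ip) pairs awaiting a reply
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return
        if arp["op"] == ARP_REQUEST:
            self.pending.add((arp["sender_ip"], arp["target_ip"]))
            return
        if arp["op"] != ARP_REPLY:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        # Check 1: a known IP now claims a different MAC -> cache conflict.
        old = self.bindings.get(ip)
        if old is None:
            self.bindings[ip] = mac
        elif old != mac:
            self.alerts.append(f"CONFLICT {ip}: {old} -> {mac} (sent to {arp['target_ip']})")
        # Check 2: a reply nobody asked for; a poisoner emits these continuously.
        key = (arp["target_ip"], ip)
        if key in self.pending:
            self.pending.discard(key)
        else:
            self.alerts.append(f"UNSOLICITED reply {ip} is-at {mac} (sent to {arp['target_ip']})")


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialize a sample Ethernet/ARP frame for feeding the monitor (test fixture)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    dst = b"\xff" * 6 if op == ARP_REQUEST else tmac
    eth = dst + smac + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body += smac + bytes(map(int, sender_ip.split(".")))
    body += tmac + bytes(map(int, target_ip.split(".")))
    return eth + body


# Constructed addresses for the walkthrough (not from any real network).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
HOST_IP, HOST_MAC = "192.168.1.50", "00:11:22:33:44:50"
OTHER_MAC = "de:ad:be:ef:00:01"   # the poisoning host's MAC in this scenario


def simulate():
    """Replay a normal ARP exchange followed by two poisoning replies; return the alerts."""
    mon = ArpMonitor(known={GATEWAY_IP: GATEWAY_MAC})
    frames = [
        # Legitimate: host asks who has the gateway, gateway answers.
        build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, "00:00:00:00:00:00", GATEWAY_IP),
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
        # Poisoning: gateway IP rebound to OTHER_MAC (told to the host) and
        # host IP rebound to OTHER_MAC (told to the gateway), neither requested.
        build_arp(ARP_REPLY, OTHER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
        build_arp(ARP_REPLY, OTHER_MAC, HOST_IP, GATEWAY_MAC, GATEWAY_IP),
    ]
    for frame in frames:
        mon.observe(frame)
    return mon.alerts


if __name__ == "__main__":
    for alert in simulate():
        print(alert)
```

Running simulate() yields three alerts: the legitimate request/reply pair is silent, the reply rebinding the gateway IP trips both the conflict and the unsolicited check, and the reply rebinding the host IP trips only the unsolicited check because that address was never seeded and is learned from its first reply. That last case is why seeding the monitor with the gateway (and any other critical hosts) from DHCP or static configuration matters; a first-seen learner alone can be taught the wrong binding if the poisoner speaks first.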

It’s a simple and easy solution to help you circumvent your need for a monitor port if you either don’t have one or don’t have access to one. Let us know what other tools, situations, and devices you have used Ettercap for.

About T2 Tech Group

We are a leader in the practical application of technology for healthcare and a range of other industries. Since our founding in 2006, we have consistently delivered quality consulting and management advisory services to executives and IT leaders. Unlike many consulting firms, we have no financial interest in vendor selection, freeing our company to focus completely on realizing client goals. Our team balances business and IT needs, uses a proven framework, can see projects from assessment to post-implementation, and practices transparency in everything we do.